Hybrid mobile payment products open up security risks, warns Frost & Sullivan
The integration of cloud-based offerings and near-field communication technology in the mobile payments market poses security risks, warned research firm Frost & Sullivan.
A cloud-based mobile payment product uses a mobile app, such as PayPal, which requires authentication prior to connecting with the cloud-stored account details to process the transaction. Data is stored virtually and is not easy to access or track, assuming the cloud provider offers appropriate protection, Frost & Sullivan explained.
A mobile payment product based on NFC provides a multi-layered approach to security. The individual's account and card details are stored in a secure element within the mobile device. The secure element could be embedded in the mobile device or supplied by the service provider as a removable secure digital (SD) card, Frost & Sullivan noted.
At the same time, mobile security providers such as ARM, Gemalto and Giesecke & Devrient are working on standardising the trusted execution environment (TEE), an isolated area of the handset's main processor in which a payment app's sensitive processing can run apart from the ordinary mobile operating system.
"The TEE is a secure area that resides in the main processor of a smartphone (or any mobile device) and ensures that sensitive data is stored, processed and protected in a trusted environment. The TEE's ability to offer safe execution of authorized security software, known as 'trusted applications', enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights," explained Kevin Gillick, executive director of the nonprofit GlobalPlatform association.
While either a cloud-based offering or an NFC-based solution might provide sufficient security, a hybrid solution in which sensitive information is transmitted from the mobile phone to the cloud might be vulnerable to hacking, according to Frost & Sullivan research analyst Shuba Ramkumar. This might require additional measures to lessen the security risks involved with data transmission.
"This should be done in respect of international payment standards such as PCI DSS [Payment Card Industry Data Security Standard] in order to protect personal data during data transfer. At the moment, the security used for cloud-based solutions is mostly the same as the one for e-commerce ... This is probably a first step to accelerate cloud-based payment solutions, but at the end, a higher level of security will probably be needed," concluded Ramkumar.
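As an added illustration of the data-transfer point above (this is not code from Frost & Sullivan, GlobalPlatform or any vendor named in the article), the first payload below is what a straight port of an e-commerce checkout sends from the handset to the cloud: the full primary account number (PAN), protected only by the transport channel. The second applies two PCI DSS measures to the same transaction, masking the PAN to its first six and last four digits and sending a keyed one-way hash of the number in its place, so the cloud tier never handles the full PAN. The final function is the check a practitioner would run over outbound payloads, proxy captures or application logs: any 13 to 19 digit run that passes the Luhn check is treated as a leaked full PAN. The JSON field names, the placement of the hash key (handset secure element or TEE on one side, payment back end on the other), the demo key and the sample log line are assumptions constructed for this example.

```python
"""Added example (not from the article or any vendor it names): an
e-commerce-style phone-to-cloud payment payload carrying the full PAN,
a hardened variant applying PCI DSS masking and a keyed hash reference,
and a Luhn-based check that flags a full PAN in logs or captured traffic.
Field names, the demo key and the sample log line are constructed for
illustration only."""
import base64
import hashlib
import hmac
import json
import re

# Assumption: in a real deployment this key sits in the handset's secure
# element or TEE and in the payment back end, never in the cloud app tier.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed log line of the kind a cloud tier might write when the full
# PAN arrives in the clear after TLS termination.
SAMPLE_LOG_LINE = 'POST /v1/pay 200 body={"pan": "4111111111111111", "expiry": "12/27"}'

# A run of 13 to 19 digits not adjoining another digit (candidate PAN)
_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the whole PAN, so the back end can recognise a
    card without the cloud tier ever receiving the number itself."""
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def ecommerce_style_payload(pan: str, expiry: str) -> str:
    """What a straight port of a web checkout sends: the full card data,
    protected only by the transport channel."""
    return json.dumps({"pan": pan, "expiry": expiry})


def hardened_payload(pan: str, expiry: str, key: bytes) -> str:
    """Same transaction with the PAN masked and replaced by a keyed reference."""
    if not luhn_valid(pan):
        raise ValueError("not a structurally valid PAN")
    return json.dumps({
        "pan_masked": mask_pan(pan),
        "card_ref": card_reference(pan, key),
        "expiry": expiry,
    })


def contains_full_pan(text: str) -> bool:
    """Detection check: True if any 13-19 digit run in the text passes Luhn.
    Run it over outbound payloads, proxy captures or application logs."""
    return any(luhn_valid(run) for run in _PAN_RUN.findall(text))


if __name__ == "__main__":
    pan, expiry = "4111111111111111", "12/27"   # well-known test card number
    print("e-commerce style:", ecommerce_style_payload(pan, expiry))
    print("hardened        :", hardened_payload(pan, expiry, DEMO_KEY))
    print("leak in log line:", contains_full_pan(SAMPLE_LOG_LINE))
```

The keyed hash lets the back end link repeat transactions to the same card, but only a party holding the key can produce or verify it; an attacker who reads the cloud tier's traffic or logs gets a masked number and an opaque reference rather than a usable PAN, which is the "higher level of security" beyond a plain e-commerce-style channel that the analyst anticipates.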